A reader reported (thanks @Scott) that he is observing a sudden jump in DNS traffic, all asking for the same thing. Here is a snip from the logs, slightly edited.

Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#55148: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#63757: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#50037: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#57822: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#21294: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#6076: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#27221: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#34485: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#56117: query: gd21.net IN TXT +E

** used with permission **

gd21.net seems to link to a Korean shopping site of some kind. As always, use caution when following links.
Richard Porter --- ISC Handler on Duty | Jul 24th 2012
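As an added example, not part of the diary or the reader's report, the following Python script parses BIND query-log lines in the layout shown above, counts identical queries per client per second, and flags the sources that repeat one name/type pair above a threshold; it also estimates the amplification a reflector gives a query for the reported name. The log lines embedded in it are constructed (documentation-range addresses stand in for the redacted ones), the threshold of three queries per second and the 2220-byte response size are assumed tuning values, and the regex matches only the "client IP#port: query: NAME IN TYPE" form of the log in the diary.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the BIND 9 query-log layout shown in the diary. The
# addresses are documentation ranges standing in for the redacted ones.
SAMPLE_LOG = """\
Jul 24 13:28:56 ns1 named[3240]: client 192.0.2.62#55148: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client 192.0.2.62#63757: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client 192.0.2.62#50037: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 192.0.2.62#57822: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 192.0.2.62#21294: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 192.0.2.62#6076: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 198.51.100.9#40001: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client 198.51.100.9#40002: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client 203.0.113.7#53012: query: www.example.com IN A +E
"""

# Matches the "client IP#port: query: NAME IN TYPE" layout of the diary's log
# (other BIND versions lay the line out differently; adjust the pattern then).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["qname"].rstrip(".").lower(), m["qtype"].upper()


def find_reflection_sources(text, threshold=3):
    """Return {(qname, qtype): {client_ip: peak_queries_per_second}} for every
    client that repeats the same query at least `threshold` times within one
    logged second (threshold is an assumed tuning value).

    Many identical queries per second for one name and type is what a
    reflector sees. The "client" is whatever the attacker wrote into the
    spoofed source address, i.e. the victim of the flood, not the attacker.
    """
    per_second = Counter()
    for ts, ip, qname, qtype in parse_query_log(text):
        per_second[(ip, qname, qtype, ts)] += 1

    peaks = defaultdict(dict)
    for (ip, qname, qtype, _ts), count in per_second.items():
        if count >= threshold and count > peaks[(qname, qtype)].get(ip, 0):
            peaks[(qname, qtype)][ip] = count
    return dict(peaks)


def estimate_query_size(qname, edns=True):
    """Bytes on the wire for a minimal query: 12-byte header, the name in
    label form, QTYPE and QCLASS, plus an 11-byte OPT record when the client
    signals EDNS (the "+E" flag in the log)."""
    labels = [label for label in qname.strip(".").split(".") if label]
    wire_name = sum(1 + len(label) for label in labels) + 1  # length bytes + root
    size = 12 + wire_name + 4
    return size + 11 if edns else size


def estimate_amplification(qname, response_bytes, edns=True):
    """Response size divided by query size: the factor by which the reflector
    multiplies the attacker's bandwidth towards the spoofed address."""
    return response_bytes / estimate_query_size(qname, edns)


if __name__ == "__main__":
    for (qname, qtype), clients in find_reflection_sources(SAMPLE_LOG).items():
        for ip, rate in sorted(clients.items(), key=lambda kv: -kv[1]):
            print(f"{qname} {qtype}: {ip} peaks at {rate} identical queries/s "
                  f"(likely the spoofed victim, not the attacker)")
    # A 2220-byte TXT answer to a 37-byte EDNS query is the roughly 60:1 ratio
    # discussed in the thread (2220 is an assumed response size).
    print(f"gd21.net TXT: ~{estimate_amplification('gd21.net', 2220):.0f}:1")
```

Run it against a real query log (`named` with `querylog yes` or `rndc querylog`) by reading the file into `find_reflection_sources`. The useful output is the name/type pair, not the client list: blocking the flagged clients, as the shuns in this thread do, cuts off the spoofed victims while the attacker simply rotates to the next one, so the fix has to be on the recursion side of the server.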
We've seen this sort of thing in the past, but it was a spoofed UDP packet doing an ANY request for ripe.net on an open resolver.
Of course the spoofed source was the IP being attacked.
Yinette | Jul 24th 2012
As the original reporter, I can say the source is not spoofed. I have OSSEC adding "shuns" to our ASA based on source, and that immediately stops that particular request, showing the requesting address is not spoofed.

Yinette | Jul 25th 2012
Jul 24 2012 20:16:47: %ASA-4-401004: Shunned packet: XXX.XXX.218.92 ==> XXX.XXX.18.114 on interface outside

sh shun stat | include XXX.XXX.218.92
Shun XXX.XXX.218.92 cnt=23577, time=(8:04:13)

Yinette | Jul 25th 2012
It seems like most of the packets being sent over and over are coming from the same IP address, which would indicate a DoS attack.

Yinette | Jul 25th 2012
Nope. When it started I had around 40 shuns/IPs; once we reconfigured OSSEC to automatically block the queries, new IPs cropped up within a few seconds (30-60 sec). I am up to 500+ shuns now. Now, new attacks show up every 3-4 minutes.

Yinette | Jul 25th 2012
@Eric - I should qualify my last statement: my log portion above was just one IP from many. There seems to be no common thread as to where the IPs are coming from.

Yinette | Jul 25th 2012
That's interesting that you can't identify where the IPs are coming from. How long has this attack been going on for?
I see from the logs posted above that it was happening this afternoon at 12:31PM.

Yinette | Jul 25th 2012
> That's interesting that you can't identify where the IPs are coming from.

Not interesting at all -- the only TCP packets that are being received contain _only_ the "spoofed" IP address, not the IP address of the sender. One needs to have access rights to all the routers between the "target" and the actual "source" in order to find the packets that are going through the router to the target. Some router is not doing "egress filtering" -- i.e., not blocking packets that contain "source" information that is not "inside" the network from which the packets are originating. Such "spoofing" is common on the Internet -- how many e-mail messages have I received that claim to be from 'info@fbi.gov' or from 'helpdesk' at my ISP?

Anonymous | Jul 25th 2012
@Scott: Is it just IN TXT records being queried? Could the source addresses be DNS or SMTP servers? Could this be a side effect of a big spam run using the gd21.net domain in the From: field?

Anonymous | Jul 25th 2012
When I said "I can't identify where they are coming from" I mean there is no one geographic location. They are coming from Brazil, the US, etc.

@George - Yes, the query is looking for gd21.net IN TXT +E. Interesting thought, I'll check a few and see what ports may be open. The few I looked at yesterday seemed to be DSL customers, so I suspect it's a botnet of some type.

Also, I don't seem to be making myself clear. The IPs do NOT appear to be spoofed. This is from the ASA's log this morning:

Jul 25 2012 10:03:28: %ASA-4-401004: Shunned packet: XXX.232.121.191 ==> XXX.215.18.114 on interface outside

and from the config:

shun (outside) XXX.232.121.191 0.0.0.0 0 0 0

That indicates that the shun is in fact preventing an INBOUND connection from that IP to our servers, so the IP is not spoofed. Also, if it was spoofed the shuns would not be useful in reducing the crushing traffic. They are working quite well, and traffic is down to normal levels. I am starting to think this may just be a DDoS against our DNS, since any given IP is sending several queries a second and there are many hundreds of IPs querying us.

Anonymous | Jul 25th 2012
@Scott I was thinking it might be a bot. Well, that's good that the traffic is down to normal levels.
Yeah, the open ports could also be a clue.

Anonymous | Jul 25th 2012
Ok, after some (very) patient discussion with me, the SANS guys allowed me to see the forest for the trees. The source IPs are likely spoofed, and while my shuns blocked the spoofed IP, the attacker would just move to the next spoofed target. The simple solution was to disable recursion for all but the IPs we need. (That creates a few issues, but nothing we can't work through.)
Again, thanks guys for helping pound this through my thick skull. S.

Anonymous | Jul 25th 2012
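As an added example, not the reporter's actual configuration (the thread does not show it), this is the shape of the BIND 9 named.conf change that "disable recursion for all but the IPs we need" amounts to. The ACL name and the network ranges are assumed placeholders.

```conf
// Added example, not the reporter's config. Ranges below are assumed.
acl "recursion-clients" {
    localhost;
    192.0.2.0/24;       // assumed: our own servers
    198.51.100.0/24;    // assumed: internal clients that need recursion
};

options {
    recursion yes;
    // Only the listed networks get recursive service. A spoofed query from
    // anywhere else is answered with a small REFUSED instead of a large TXT
    // record, so the server no longer amplifies traffic towards the victim.
    allow-recursion { recursion-clients; };
    // Also refuse to hand cached answers (such as an already-primed gd21.net
    // TXT record) to outsiders; otherwise a cache hit is still reflected.
    allow-query-cache { recursion-clients; };
};
```

Zones the server is authoritative for still need `allow-query { any; };` in their `zone` statements so the outside world can resolve them. After a reload, check from an address outside the ACL that `dig @ns1 gd21.net TXT` returns status REFUSED with an empty answer section; if it still returns the TXT record, the query is being served from cache or the ACL does not cover the client. On BIND 9.9.4 and later, the `rate-limit { responses-per-second N; };` block in `options` throttles identical answers so that the authoritative zones cannot be used as a reflector either.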
This looks to me like traffic from a DNS reflection DDoS attack. The TXT records are larger in size than the original DNS query, therefore there is a traffic amplification, often of the order of 60:1.

Anonymous | Jul 30th 2012
DNS Reflection Attack How To:
1) Register a domain and host it.
2) Add a TXT record.
3) Find some name servers that allow recursion and prime them for the attack by querying your domain's TXT record.
4) Find an internet connection without egress filtering.
5) Spoof DNS requests at your primed name server, which will flood the target network with traffic with an amplification of roughly 60:1, depending on what you set your TXT record to be.
A 5GB per second attack can be achieved this way with around 200 bots.
DDJ

Anonymous | Jul 30th 2012
Looks like you are helping take http://cybercrone.kr/ down
DDJ |
Anonymous | Jul 30th 2012
.cyberone.kr. rather :)

Anonymous | Jul 30th 2012